Vulnerability scanning, patch management, pen testing, and attack surface management
47 total articles
A secret, in software and infrastructure contexts, is any credential that grants access to a protected resource: API keys, OAuth tokens, database passwords, TLS private keys, SSH private keys, encryption keys, service account credentials, and webhook secrets.
Infrastructure as Code (IaC) is the practice of defining, provisioning, and managing computing infrastructure through machine-readable configuration files rather than through manual processes or interactive user interfaces.
A container registry is a storage and distribution system for container images. Docker Hub is the most widely known public registry.
SQL injection (SQLi) is a code injection vulnerability that occurs when an application constructs database queries by concatenating user-supplied input directly into a SQL statement without proper sanitization or parameterization.
Modern applications are not primarily written code. They are primarily assembled code.
Server-Side Request Forgery (SSRF) is a web application vulnerability that allows an attacker to cause the server to make HTTP requests to unintended destinations.
Application security testing is not one discipline. It is three distinct approaches, each looking at the same problem from a different vantage point.
Path traversal, also called directory traversal, is a vulnerability in which an application uses user-controlled input to construct a file path without adequately restricting that input to an intended directory.
Deserialization attacks exploit the process by which an application reconstructs a complex object from a stream of bytes.
Cross-site scripting (XSS) is a web application vulnerability in which an attacker injects malicious JavaScript (or other client-side script) into a web page that is then executed in the browsers of other users who visit that page.
Command injection is a class of attack in which an application passes unsanitized user input to an operating system shell, and the attacker uses shell metacharacters to append or substitute their own commands for execution.
The CI/CD pipeline (Continuous Integration and Continuous Delivery, or Continuous Deployment) is the automated system that takes source code from a repository, builds it into a deployable artifact, tests it, and deploys it to production.
A technical analysis of dependency confusion attacks against software supply chains, covering the attack mechanism, Alex Birsan's 2021 discovery, real-world exploitation cases, and defense mechanisms including namespace scoping, registry configuration, and integrity verification. Mapped to CDA's Continuous Surface Reduction methodology.
A comprehensive examination of the security implications of organizational dependence on open source software. Covers Log4Shell, the event-stream npm hijacking, the xz utils backdoor, Software Composition Analysis tooling, OpenSSF governance, and how CDA's Continuous Surface Reduction methodology addresses open source risk through dependency management and SCA scanning.
A production-grade guide to SBOM formats, generation tooling, operational workflows, and regulatory context under EO 14028. Covers SPDX, CycloneDX, VEX, and how CDA's Continuous Surface Reduction methodology uses SBOMs to eliminate attack surface at the component level.
Operational runbook for penetration test coordination procedures.
Operational runbook for patch management cycle procedures.
Operational runbook for vulnerability scan execution procedures.
Practice Linux and Windows privilege escalation techniques to understand post-exploitation risks.
Practice identifying and remediating security vulnerabilities in application source code.
Practice container image scanning, runtime security, and supply chain verification for Docker environments.
Building a remediation tracking system that assigns ownership, enforces SLAs, and reports on vulnerability closure rates.
Planning and executing red team engagements that simulate realistic adversary behavior to test organizational defenses.
Assessing cloud infrastructure configurations against security benchmarks and identifying cloud-specific vulnerabilities.
Automating security testing processes to achieve continuous assessment without manual intervention for routine checks.
Managing vulnerabilities in third-party software, libraries, and components through SCA tools and vendor coordination.
Establishing a vulnerability disclosure program that enables external researchers to report security findings responsibly.
Integrating static and dynamic application security testing into the development lifecycle for continuous vulnerability identification.
Systematically identifying, measuring, and reducing the organization's external and internal attack surface.
Designing and managing a penetration testing program that validates controls and identifies exploitable vulnerabilities.
Deploying and tuning WAF rules to protect web applications from common attacks while minimizing false positives.
Establishing continuous vulnerability scanning across infrastructure, applications, and cloud environments with defined SLAs for remediation.
Operating an effective patch management program that balances speed of remediation with change management and system stability.
Securing Kubernetes clusters: RBAC, network policies, pod security standards, secrets management, and supply chain controls.
CWPP capabilities for protecting VMs, containers, and serverless: runtime protection, file integrity, and behavioral monitoring.
Protecting package managers from dependency confusion, typosquatting, and namespace hijacking attacks.
Safe assessment methodology for industrial control systems: passive reconnaissance, protocol analysis, and risk-based testing.
End-to-end software supply chain security: secure development, dependency management, build integrity, and distribution verification.
Integrating container image scanning into CI/CD: base image selection, layer analysis, runtime scanning, and admission control.
OWASP Top 10 mapped to detection, remediation, and testing strategies for each vulnerability class.
Managing open-source risk through SCA: dependency scanning, SBOM generation, license compliance, and supply chain security.
Systematic approach to API security assessment: discovery, authentication testing, authorization bypass, business logic, and rate limiting.
Automated detection and remediation of cloud misconfigurations across AWS, Azure, and GCP using CSPM and policy-as-code.
Operationalizing patch management: risk windows, testing pipelines, emergency patching, and measuring patch hygiene.
Building an ASM program from asset discovery through continuous monitoring: external, internal, and cloud attack surfaces.
Why CVSS alone fails and how to build risk-based prioritization using exploit intelligence, asset criticality, and environmental context.
CVE names vulnerabilities, CVSS scores their severity. Effective prioritization adds context with EPSS and SSVC.
Continue your mission